Posted by timothy on Friday February 01, 2013 @07:46PM from the no-more-jeans-all-patches dept.

darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."

The knee-jerk reaction of getting the patches for Java out now following public criticism is not going to make up for their previous apparent disinterest in supporting the platform. The damage they have done to the reputation of Java is incalculable, and I for one as a C++ programmer thank them for it!

I know Oracle didn't write Java to begin with, but they sure had a hard-on to acquire it, presumably to soak up profits by wedging themselves into yet more enterprise services. I'd like them to take ownership of this issue and really hammer out these nasty problems.

Didn't they just do exactly that? Granted there are probably still lots of other unannounced issues, but this is a good step in the right direction.

Does another patch change the fact that Java runs slower than new programming languages like Nimrod [nimrod-code.org], which let developers accomplish the same tasks in far less code?

There's a new latest-greatest language every 6 months. Customers don't like to rewrite their platforms every 6 months when language X goes out of favor and they can't hire people to maintain their code or get updates for the runtime / tools.

Do you think it's possible that Nimrod also has security flaws, but they haven't been exposed? Consider the usage of Java vs. Nimrod, and therefore the interest of hackers in finding the security flaws.

I'm sure there are enough that I feel fairly confident in my advice to just not install Java unless you really, really need it. Which, unless you're a developer or a Minecraft addict, you really don't.

So I have the JDK installed, but the plugin disabled. (Well, I have the 64-bit JDK installed and use 32-bit Firefox, which works well enough on that front.)

You forget the place that Java has had the most success: Enterprise computing.

I'll agree that the sum total of the Java Plugin + JDK Libraries + JVM provides too much opportunity to attack on the desktop / web app space. There's simply too many flaws in the plugin and libraries. The JVM itself, though, is very solid (fewer than 10 major flaws over 15 years).

However, Java as a middleware platform is simply far better than any of the alternatives, and that's where I expect it to remain. Insulated from the types of attacks that render Java dangerous on the desktop, middleware app servers play directly to Java's big strengths: speed, ease of development, and massive library support, plus a framework which helps discourage the types of coding flaws that hurt middleware computing the most. Java will likely remain king of middleware for a long time, and deservedly so.

On the desktop or as a downloadable app, well, yes, Java is simply never going to measure up to the better cross-platform alternatives.

It is good that they released the patches, but since they waited until DHS actually suggested uninstalling it (and all the implications of that) to do so, it doesn't inspire much confidence. If they want to rehabilitate their reputation, they're going to have to be MUCH more proactive about security and it will take a while to convince people.

Seriously, I have 1.6.0_39 and 1.7.0_13 happily running together on all the platforms that I'm responsible for (Linux, Windows, UNIX of various flavors).
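The comment above names the two update levels shipped in this release, 1.6.0_39 and 1.7.0_13. The script below is an added example, not code from the thread or from Oracle: it parses the first line of `java -version` output and reports whether a runtime is at or above those update levels. The baseline table, the host names and the sample version strings are constructed for the example; a real inventory would feed the stderr of `java -version` from each host into `assess()`.

```python
import re

# Minimum update levels named in the thread (Java 6u39 and 7u13).
# Constructed baseline table for this example; extend it per family as
# new patch releases ship.
PATCHED_UPDATE = {"1.6": 39, "1.7": 13}

# First line of `java -version` looks like: java version "1.7.0_13"
# (OpenJDK builds print "openjdk version" instead).
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_java_version(output: str):
    """Extract (family, update) from `java -version` output.

    Returns e.g. ("1.7", 13), or None when no line is recognised.
    """
    for line in output.splitlines():
        m = VERSION_RE.search(line)
        if m:
            major, minor, _patch, update = m.groups()
            return f"{major}.{minor}", int(update)
    return None


def assess(output: str) -> str:
    """Classify a runtime as 'patched', 'outdated' or 'unknown'.

    'unknown' covers both unparseable output and version families that are
    not in the baseline table, so they surface for manual review rather than
    silently passing.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    family, update = parsed
    baseline = PATCHED_UPDATE.get(family)
    if baseline is None:
        return "unknown"
    return "patched" if update >= baseline else "outdated"


# Constructed sample outputs in the format `java -version` prints to stderr.
# Host names and build strings are made up for this example.
SAMPLES = {
    "host-a": 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b00)\n',
    "host-b": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment (build 1.6.0_37-b00)\n',
    "host-c": 'openjdk version "1.8.0_292"\n',
}


def inventory(samples):
    """Map each host to its patch status."""
    return {host: assess(out) for host, out in samples.items()}


if __name__ == "__main__":
    for host, status in inventory(SAMPLES).items():
        print(f"{host}: {status}")
```

The comparison is per version family on purpose: a 1.6 runtime at update 39 is "patched" for this release even though 1.7 exists, because the thread's point is that both lines received fixes and can coexist. Anything the table does not know about is reported as "unknown" rather than assumed safe.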

This patch was rather important in that there are some server side security issues being patched as well as browser plugin issues.

I'm seeing all of this hate, but you know what, I just don't get it. Software of any complexity has bugs. Microsoft used to be the champion of security exploits. Now it's Java. And lest anyone forget, there are myriads of PHP / Ruby / Python security bugs that allow systems to be exploited. I'm not even sure that there's a secure Ruby on Rails platform at this point, for example. I don't know for certain about Ruby, since the only Ruby platform I have right now is for Redmine.

I guess though everyone likes the Faux News mentality of computer security reporting. It garners page clicks, makes people feel important and is a lot easier than actually doing any work. It's like the hit piece someone at InfoWorld did on a Spring Framework bug that could possibly be exploited (albeit not very easily). The sensationalist piece completely overlooked the fact that the issue had been addressed over a year ago. The "journalist" at InfoWorld was too busy jumping on the "all things Java are evil and insecure" bandwagon to do the tiny bit of research needed to write intelligently about the problem...

Just like people are now doing about the current issue...

My favorite comment so far has been along the following lines:

Sure, they may have fixed these security flaws, but there's no guarantee that this will fix future security flaws. It's better that you just go ahead and uninstall Java now.

Sure, [insert-least-favorite-software-of-the-day] may be patched now, but will it remain patched?

I thought at least professionals were a bit more intelligent than this. I guess not.

I agree with 1 and have no opinion on 3. But for the second? I've only worked in one major tech company in my life, but from what I've heard the attitude is pretty uniform through most of them. The people that last are usually company men to the core. Most of the people who stick around very long do it for the brand/name and drink the Kool-Aid mind, body and soul. I could see a holy war about something happening before they were even out of school pretty easily.